diff --git a/addons/PPP/nx_ppp.c b/addons/PPP/nx_ppp.c index 7b92ad4..b30d698 100644 --- a/addons/PPP/nx_ppp.c +++ b/addons/PPP/nx_ppp.c @@ -1394,7 +1394,7 @@ UINT status; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_receive_packet_process PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -1433,6 +1433,10 @@ UINT status; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ void _nx_ppp_receive_packet_process(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) @@ -1441,6 +1445,7 @@ void _nx_ppp_receive_packet_process(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) UINT protocol; UINT ppp_ipcp_state; UINT code; +UINT length; #ifndef NX_PPP_DISABLE_INFO @@ -1489,6 +1494,20 @@ UINT code; /* Return. */ return; } + + /* Get the message length. */ + length = (((UINT) packet_ptr -> nx_packet_prepend_ptr[4]) << 8) | ((UINT) packet_ptr -> nx_packet_prepend_ptr[5]); + + /* Check if the packet length is equal to message length plus 2 bytes protocal type. */ + if ((length + 2) != packet_ptr -> nx_packet_length) + { + + /* Release the packet. */ + nx_packet_release(packet_ptr); + + /* Return. */ + return; + } } /* Determine if the packet is LCP. */ @@ -2182,7 +2201,7 @@ NX_PACKET *packet_ptr; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_lcp_state_machine_update PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -2225,6 +2244,10 @@ NX_PACKET *packet_ptr; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ void _nx_ppp_lcp_state_machine_update(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) @@ -2233,6 +2256,7 @@ void _nx_ppp_lcp_state_machine_update(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) UINT configure_status; UCHAR *lcp_message_ptr; UCHAR code; +UINT status; /* Determine if a packet is present. If so, derive the event from the packet. */ if (packet_ptr) @@ -2460,8 +2484,14 @@ UCHAR code; /* The peer has sent a configuration request. */ /* Retrieve configuration. */ - configure_status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list); - + status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list, &configure_status); + + /* Discard invalid packet. */ + if (status) + { + return; + } + /* Determine if the configuration request is fine or needs to be negotiated further. */ if (configure_status == 0) { @@ -2531,7 +2561,13 @@ UCHAR code; /* The peer has sent a configuration request. */ /* Retrieve configuration. */ - configure_status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list); + status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list, &configure_status); + + /* Discard invalid packet. */ + if (status) + { + return; + } /* Determine if the configuration request is fine or needs to be negotiated further. */ if (configure_status == 0) @@ -2733,7 +2769,13 @@ UCHAR code; /* The peer has sent a configuration request. */ /* Retrieve configuration. */ - configure_status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list); + status = _nx_ppp_lcp_configuration_retrieve(ppp_ptr, packet_ptr, ppp_ptr -> nx_ppp_peer_naked_list, ppp_ptr -> nx_ppp_rejected_list, &configure_status); + + /* Discard invalid packet. */ + if (status) + { + return; + } /* Determine if the configuration request is fine or needs to be negotiated further. */ if (configure_status == 0) @@ -3330,7 +3372,7 @@ NX_PACKET *packet_ptr; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_lcp_configuration_retrieve PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -3345,12 +3387,14 @@ NX_PACKET *packet_ptr; /* ppp_ptr PPP instance pointer */ /* naked_list List of NAKed options */ /* rejected_list List of rejected options */ +/* configure_status Returned configration status: */ +/* 0 -> Success */ +/* 1 -> NAKed options */ +/* 2 -> Rejected options */ /* */ /* OUTPUT */ /* */ -/* 0 -> Success */ -/* 1 -> NAKed one or more options */ -/* 2 -> Rejected on or more options */ +/* status Completion status */ /* */ /* CALLS */ /* */ @@ -3367,19 +3411,26 @@ NX_PACKET *packet_ptr; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ -UINT _nx_ppp_lcp_configuration_retrieve(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr, UCHAR *naked_list, UCHAR *rejected_list) +UINT _nx_ppp_lcp_configuration_retrieve(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr, UCHAR *naked_list, UCHAR *rejected_list, UINT *configure_status) { UINT option_index, nak_list_index, rejected_list_index; -UINT len, status = 0; +UINT len; UINT type; UINT counter; ULONG authentication_protocol; UCHAR *option_data; + /* Initialize the configure status. */ + *configure_status = 0; + /* Clear both the NAKed and rejected list length. */ naked_list[0] = 0; rejected_list[0] = 0; @@ -3400,7 +3451,9 @@ UCHAR *option_data; /* Check if the length is valid. */ if ((len < 2) || (len > (packet_ptr -> nx_packet_length - (option_index - 2)))) - return(2); + { + return(NX_PPP_BAD_PACKET); + } /* Set a pointer to option data. */ option_data = &packet_ptr -> nx_packet_prepend_ptr[option_index]; @@ -3420,7 +3473,7 @@ UCHAR *option_data; /* Determine if the MRU is too small. */ if (ppp_ptr -> nx_ppp_mru < NX_PPP_MINIMUM_MRU) { - status |= 1; + *configure_status |= 1; /* Default the MRU. */ ppp_ptr -> nx_ppp_mru = NX_PPP_MRU; @@ -3473,7 +3526,7 @@ UCHAR *option_data; /* Check to see if we don't have any authentication protocols enabled. */ if (ppp_ptr -> nx_ppp_generate_authentication_protocol == 0) { - status |= 2; + *configure_status |= 2; /* Check if out of boundary. */ if ((rejected_list_index + len) > NX_PPP_OPTION_MESSAGE_LENGTH) @@ -3491,7 +3544,7 @@ UCHAR *option_data; /* Determine if this peer has PAP enabled. */ if (ppp_ptr -> nx_ppp_generate_authentication_protocol == NX_PPP_PAP_PROTOCOL) { - status |= 1; + *configure_status |= 1; /* Check if out of boundary. */ if ((nak_list_index + 4) > NX_PPP_OPTION_MESSAGE_LENGTH) @@ -3511,7 +3564,7 @@ UCHAR *option_data; /* Determine if this peer has CHAP enabled. */ if (ppp_ptr -> nx_ppp_generate_authentication_protocol == NX_PPP_CHAP_PROTOCOL) { - status |= 1; + *configure_status |= 1; /* Check if out of boundary. */ if ((nak_list_index + 5) > NX_PPP_OPTION_MESSAGE_LENGTH) @@ -3538,7 +3591,7 @@ UCHAR *option_data; /* Now determine if something other than CHAP MD5 was requested. */ if (option_data[2] != 0x05) { - status |= 1; + *configure_status |= 1; /* Check if out of boundary. */ if ((nak_list_index + 5) > NX_PPP_OPTION_MESSAGE_LENGTH) @@ -3578,7 +3631,7 @@ UCHAR *option_data; default: - status |= 2; + *configure_status |= 2; /* Check if out of boundary. */ if ((rejected_list_index + len) > NX_PPP_OPTION_MESSAGE_LENGTH) @@ -3593,9 +3646,15 @@ UCHAR *option_data; break; } } - + + /* Check if packet length is valid. */ + if (option_index != packet_ptr -> nx_packet_length) + { + return(NX_PPP_BAD_PACKET); + } + /* Return status. */ - return(status); + return(NX_SUCCESS); } @@ -6030,7 +6089,7 @@ UINT name_length; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_ipcp_state_machine_update PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -6071,6 +6130,10 @@ UINT name_length; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* corrected the NAKed list */ +/* pointer, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ void _nx_ppp_ipcp_state_machine_update(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) @@ -6434,7 +6497,7 @@ UCHAR code; /* Yes, there are rejected options so send a new request. */ _nx_ppp_ipcp_response_send(ppp_ptr, NX_PPP_IPCP_CONFIGURE_REJECT, &ppp_ptr -> nx_ppp_rejected_list[1], ppp_ptr -> nx_ppp_rejected_list[0], NX_NULL); } - else if (ppp_ptr -> nx_ppp_naked_list[0] != 0) + else if (ppp_ptr -> nx_ppp_peer_naked_list[0] != 0) { /* Yes, there are naked options so send a new request. */ @@ -6718,7 +6781,7 @@ UCHAR code; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_ipcp_configure_check PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -6756,6 +6819,10 @@ UCHAR code; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ UINT _nx_ppp_ipcp_configure_check(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr, UCHAR *naked_list, UCHAR *rejected_list, UCHAR *good_data) @@ -6777,12 +6844,6 @@ UCHAR option; /* Subtract 4 to remove the code, id, and length bytes from the length. */ length = length - 4; - /* Check for valid packet length. */ - if ((length + 6) > packet_ptr -> nx_packet_length) - { - return(NX_FALSE); - } - /* Initialize the rejected and naked lists. */ rejected_list[0] = naked_list[0] = good_data[0] = 0; @@ -6823,7 +6884,7 @@ UCHAR option; { /* Check if out of boundary. */ - if ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH) + if ((opt_length != 4) || ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH)) return(NX_FALSE); /* IP address option. */ @@ -6842,7 +6903,7 @@ UCHAR option; } /* Adjust the main index. */ - w += (opt_length + good_index); + w += 6; /* Check if we really have an IP address. */ if (!ip_stat) @@ -6897,8 +6958,8 @@ UCHAR option; { /* Check if out of boundary. */ - if ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH) - break; + if ((opt_length != 4) || ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH)) + return(NX_FALSE); /* Only request a hint if we don't have already have a dns address . */ good_data[good_index++] = NX_PPP_DNS_SERVER_OPTION; @@ -6915,7 +6976,7 @@ UCHAR option; } /* Adjust the main index. */ - w += (opt_length + 2); + w += 6; /* Check if we really have an primary DNS address. */ if (!ip_stat) @@ -6969,8 +7030,8 @@ UCHAR option; { /* Check if out of boundary. */ - if ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH) - break; + if ((opt_length != 4) || ((good_index + 6) > NX_PPP_OPTION_MESSAGE_LENGTH)) + return(NX_FALSE); /* Only request a hint if we don't have already have a dns address . */ good_data[good_index++] = NX_PPP_DNS_SECONDARY_SERVER_OPTION; @@ -6987,7 +7048,7 @@ UCHAR option; } /* Adjust the main index. */ - w += (opt_length + 2); + w += 6; /* Check if we really have an primary DNS address. */ if (!ip_stat) @@ -7240,7 +7301,7 @@ UINT index; /* FUNCTION RELEASE */ /* */ /* _nx_ppp_ipcp_response_extract PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -7274,6 +7335,10 @@ UINT index; /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ void _nx_ppp_ipcp_response_extract(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) @@ -7295,12 +7360,6 @@ ULONG length; else length = 0; - /* Check for valid packet length. */ - if ((length + 6) > packet_ptr -> nx_packet_length) - { - return; - } - /* Loop to parse the options to look for primary DNS address. */ i = 6; while (length) diff --git a/addons/PPP/nx_ppp.h b/addons/PPP/nx_ppp.h index 2a5e90c..854bc13 100644 --- a/addons/PPP/nx_ppp.h +++ b/addons/PPP/nx_ppp.h @@ -26,7 +26,7 @@ /* APPLICATION INTERFACE DEFINITION RELEASE */ /* */ /* nx_ppp.h PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -45,6 +45,10 @@ /* 05-19-2020 Yuxin Zhou Initial Version 6.0 */ /* 09-30-2020 Yuxin Zhou Modified comment(s), */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), */ +/* improved packet length */ +/* verification, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ @@ -786,7 +790,7 @@ void _nx_ppp_lcp_state_machine_update(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr) void _nx_ppp_lcp_code_reject(NX_PPP *ppp_ptr, UCHAR *lcp_ptr); void _nx_ppp_lcp_configure_reply_send(NX_PPP *ppp_ptr, UINT configure_status, UCHAR *lcp_ptr, UCHAR *naked_list, UCHAR *rejected_list); void _nx_ppp_lcp_configure_request_send(NX_PPP *ppp_ptr); -UINT _nx_ppp_lcp_configuration_retrieve(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr, UCHAR *naked_list, UCHAR *rejected_list); +UINT _nx_ppp_lcp_configuration_retrieve(NX_PPP *ppp_ptr, NX_PACKET *packet_ptr, UCHAR *naked_list, UCHAR *rejected_list, UINT *configure_status); void _nx_ppp_lcp_nak_configure_list(NX_PPP *ppp_ptr, UCHAR *naked_list); void _nx_ppp_lcp_terminate_ack_send(NX_PPP *ppp_ptr); void _nx_ppp_lcp_terminate_request_send(NX_PPP *ppp_ptr); diff --git a/common/inc/nx_api.h b/common/inc/nx_api.h index 26f1a78..5ab8b85 100644 --- a/common/inc/nx_api.h +++ b/common/inc/nx_api.h @@ -26,7 +26,7 @@ /* APPLICATION INTERFACE DEFINITION RELEASE */ /* */ /* nx_api.h PORTABLE C */ -/* 6.1 */ +/* 6.1.2 */ /* AUTHOR */ /* */ /* Yuxin Zhou, Microsoft Corporation */ @@ -49,6 +49,9 @@ /* ThreadX version check, */ /* updated product constants, */ /* resulting in version 6.1 */ +/* 11-09-2020 Yuxin Zhou Modified comment(s), and */ +/* updated product constants, */ +/* resulting in version 6.1.2 */ /* */ /**************************************************************************/ @@ -357,7 +360,7 @@ VOID _nx_trace_event_update(TX_TRACE_BUFFER_ENTRY *event, ULONG timestamp, ULONG #define AZURE_RTOS_NETX #define NETX_MAJOR_VERSION 6 #define NETX_MINOR_VERSION 1 -#define NETX_PATCH_VERSION 0 +#define NETX_PATCH_VERSION 2 /* The following symbols are defined for backward compatibility reasons.*/ #define EL_PRODUCT_NETX